


We claim: 

1. A computerized method for key-based secure storage comprising:
downloading content and an access predicate that specifies requirements for an
application to access the content;
obtaining a storage key;
encrypting the content using the storage key; and
associating the access predicate with the encrypted content.

2. The computerized method of claim 1, further comprising:
decrypting the content for access by an application only if the application meets the
requirements specified in the access predicate.

3. The computerized method of claim 1, wherein the storage key is an application storage 
key and obtaining the application storage key comprises:
generating a seed value;
producing a hash seed value based on the seed value using a one-way hash function;
and
generating the application storage key from the hash seed value.

4. The computerized method of claim 1, wherein the storage key is a user storage key 
and obtaining the user storage key comprises:
generating a seed value;
producing a first hash seed value based on the seed value using a one-way hash
function;
producing a second hash seed value based on the seed value and a user identifier using
a keyed hash function; and
generating the user storage key from the second hash seed value.

5. The computerized method of claim 1, further comprising: 
obtaining an operating system storage key; and
encrypting the access predicate with the operating system storage key.

6. The computerized method of claim 5, further comprising:
encrypting a plurality of other storage keys using the operating system storage key,
wherein the other storage keys are selected from the group consisting of application storage
keys and user storage keys.

7. The computerized method of claim 5, wherein obtaining the operating system storage
key comprises:
generating a seed value; and

generating the operating system storage key based on the seed value. 

8. The computerized method of claim 1, wherein the storage key comprises an
application storage key and a user storage key to encrypt content containing a portion specific
to an application and a portion specific to a user, and obtaining the storage key comprises:
generating a seed value for the application;
producing an application hash seed value based on the seed value for the application
using an application-specific one-way hash function;
generating an application storage key from the application hash seed value;
generating a seed value for the user;
producing a first user hash seed value based on the seed value for the user using a
one-way hash function;
producing a second user hash seed value based on the first user hash seed value and a
user identifier using a keyed hash function; and
generating a user storage key from the second user hash seed value.

9. The computerized method of claim 1, further comprising:
storing the storage key in a key vault provided by a third-party; and 
recovering the storage key from the key vault. 

10. The computerized method of claim 9, wherein recovering the storage key comprises: 
requesting recovery of the storage key; and
providing information to the third-party to enable validation of the request.

11. The computerized method of claim 9, further comprising:
selecting the key vault from a plurality of key vaults provided by a digital rights
management operating system.

12. The computerized method of claim 9, further comprising:
selecting the key vault designated by a provider of the content.

13. The computerized method of claim 1 wherein the elements are performed in the order
recited.

14. A computer system comprising:
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through a system bus; and
a generate key function executed from the computer-readable medium by the
processing unit, wherein the generate key function causes the processing unit to generate an
operating system storage key based on an identity for the operating system.

15. The computer system of claim 14, wherein the operating system storage key is further
based on a seed.

16. The computer system of claim 14, further comprising:
an application specific one-way hash function executed from the computer-readable
medium by the processing unit, wherein the application specific one-way hash function causes
the processing unit to generate an application storage key from a hashed seed; and
a generate application key function executed from the computer-readable medium by
the processing unit, wherein the generate application key function causes the processing unit
to generate the hashed seed from an application seed.

17. The computer system of claim 14, further comprising:
a key-hash function executed from the computer-readable medium by the processing
unit, wherein the key-hash function causes the processing unit to generate a user storage key
from a hashed seed and an identity for the user;
a one-way hash function executed from the computer-readable medium by the
processing unit, wherein the one-way hash function causes the processing unit to generate the
hashed seed from a previously hashed seed; and
a generate user key function executed from the computer-readable medium by the
processing unit, wherein the generate user key function causes the processing unit to generate
the previously hashed seed from a user seed.

18. A computer system comprising:
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through a system bus; and
a digital rights management operating system executed from the computer-readable
medium by the processing unit, wherein the digital rights management operating system
causes the processing unit to encrypt downloaded content using a storage key based on a seed
value.

19. The computer system of claim 18, wherein the digital rights management operating
system further causes the processing unit to encrypt an access predicate associated with the
downloaded content using an operating system storage key, to encrypt the seed value for the
storage key using the operating system storage key, and to associate the encrypted access
predicate with the encrypted seed value.

20. The computer system of claim 19, wherein the digital rights management operating
system further causes the processing unit to validate each application requesting access to the
downloaded content using the access predicate, and decrypts the seed value for use by a
validated application.

21. The computer system of claim 18, wherein the storage key used to encrypt the
downloaded content is specific to an application.

22. The computer system of claim 18, wherein the storage key used to encrypt the
downloaded content is specific to a user.

23. A computer-readable medium having computer-executable instructions stored thereon 
to cause a server computer to perform a method comprising:
entering into a secure connection with a client computer;
obtaining a session key specific to the secure connection;
encrypting data with the session key; and
downloading the encrypted data to the client computer.

24. A computer-readable medium having computer-executable instructions stored thereon 
to cause a client computer to perform a method comprising:
entering into a secure connection with a server computer;
obtaining a session key specific to the secure connection;
receiving data encrypted with the session key from the server computer;
storing the encrypted data on a persistent storage; and
securing the session key with a storage key.
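
The key-derivation chain recited in claims 3, 4 and 8, together with the predicate check of claims 2 and 20, as an added example that is not code from this document. It assumes SHA-256 as the one-way hash, HMAC-SHA-256 as the keyed hash, a length-prefixed application identifier as the "application-specific" hash, an HMAC-based final key-generation step, and a dictionary-based predicate format; all function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets


def one_way_hash(seed: bytes, domain: bytes = b"") -> bytes:
    """One-way hash of a seed; `domain` models an application-specific hash (assumption)."""
    # Length-prefix the domain so distinct (domain, seed) pairs cannot collide.
    return hashlib.sha256(len(domain).to_bytes(2, "big") + domain + seed).digest()


def key_from_hash_seed(hash_seed: bytes, label: bytes) -> bytes:
    """Final key-generation step; the claims leave it open, HMAC-SHA-256 is assumed."""
    return hmac.new(hash_seed, b"storage-key:" + label, hashlib.sha256).digest()


def application_storage_key(app_seed: bytes, app_id: bytes) -> bytes:
    # Claims 3 and 8: seed -> application-specific one-way hash -> key.
    return key_from_hash_seed(one_way_hash(app_seed, app_id), b"application")


def user_storage_key(user_seed: bytes, user_id: bytes) -> bytes:
    # Claim 8: seed -> one-way hash -> keyed hash over the user identifier -> key.
    first = one_way_hash(user_seed)
    second = hmac.new(first, user_id, hashlib.sha256).digest()
    return key_from_hash_seed(second, b"user")


def release_key(app: dict, predicate: dict, key: bytes) -> bytes:
    """Claims 2 and 20: release key material only to an application that
    meets every requirement in the access predicate (hypothetical format)."""
    for field, required in predicate.items():
        if app.get(field) != required:
            raise PermissionError(f"application fails predicate on {field!r}")
    return key


if __name__ == "__main__":
    seed = secrets.token_bytes(32)  # constructed sample seed
    k_alice = user_storage_key(seed, b"alice")
    k_bob = user_storage_key(seed, b"bob")
    print("per-user keys differ:", k_alice != k_bob)
    predicate = {"publisher": "ExampleCo", "signed": True}  # constructed
    app = {"name": "player", "publisher": "ExampleCo", "signed": True}
    print("released:", release_key(app, predicate, k_alice) == k_alice)
```

Because the user identifier enters through the keyed hash, two users sharing one seed still obtain unrelated keys, and because the application identifier enters the hash, two applications sharing one seed do as well.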







